This service will be undergoing maintenance at 00:00 UTC, 2016-09-28. It is expected to last about 1 hours
Bug 442187 - [PATCH] support for providing console password in STDIN
[PATCH] support for providing console password in STDIN
Status: CLOSED CURRENTRELEASE
Product: 389
Classification: Community
Component: Directory Console (Show other bugs)
1.1.0
All Linux
low Severity low
: ---
: ---
Assigned To: Rich Megginson
Chandrasekar Kannan
:
Depends On:
Blocks: 249650 FDS112
  Show dependency treegraph
 
Reported: 2008-04-12 11:10 EDT by Aleksander Adamowski
Modified: 2015-01-04 18:31 EST (History)
2 users (show)

See Also:
Fixed In Version: 8.1
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2009-04-29 19:03:45 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)
Patch against Console.java (1.43 KB, patch)
2008-04-12 11:10 EDT, Aleksander Adamowski
no flags Details | Diff
ZIP with the compiled Console class (20.02 KB, application/zip)
2008-04-12 11:15 EDT, Aleksander Adamowski
no flags Details
A better patch (2.85 KB, patch)
2008-04-12 11:43 EDT, Aleksander Adamowski
no flags Details | Diff
Corrected patch (2.91 KB, patch)
2008-04-12 11:52 EDT, Aleksander Adamowski
no flags Details | Diff
ZIP with the compiled class - latest version (20.29 KB, application/octet-stream)
2008-04-12 11:55 EDT, Aleksander Adamowski
no flags Details
cvs commit log (225 bytes, text/plain)
2008-06-23 19:03 EDT, Rich Megginson
no flags Details

  None (edit)
Description Aleksander Adamowski 2008-04-12 11:10:40 EDT
Description of problem:

Currently the IDM console accepts an undocumented command line argument "-w
password", which allows for logging in to administration server without
interactive password prompt by supplying the plain text password on command line.

There's a serious security vulnerability here: the plain text password is
clearly visible to all other users of the system where the console runs, as its
arguments ca be read from the system's process table.

A much better approach would be to supply the password on standard input.

Implementing this was quite simple - I'm attaching a patch that implements the
option "-W" (that's inspired by the arguments to OpenLDAP's ldapsearch utility:
over there "-w" stands for password on the command line, "-W" is for password on
standard input. "-y filename" means password will be read from a file - it would
be a nice idea to implement that too).


Version-Release number of selected component (if applicable): 1.1.0
Comment 1 Aleksander Adamowski 2008-04-12 11:10:40 EDT
Created attachment 302223 [details]
Patch against Console.java
Comment 2 Aleksander Adamowski 2008-04-12 11:15:10 EDT
Created attachment 302224 [details]
ZIP with the compiled Console class

For your testing convenience, I'm attaching a compiled version of the modified
class.

In order to use it, simply replace the Console class files in the
idm-console-mcc-1.1.0.jar JAR archive, they reside in JAR's subdirectory named
"/com/netscape/management/client/console/".
Comment 3 Aleksander Adamowski 2008-04-12 11:43:06 EDT
Created attachment 302225 [details]
A better patch

Another version of the patch:

1) in order to be consistent with FDS's ldapsearch argument naming conventions,
it uses "-w -" for reading password from standard input. FDS's ldapsearch
reserves "-W" for reading SSL certificate password.
2) implements the "-y" argument for reading password from a file
3) documents the (until now) undocumented options in the syntax help output
("-h").
Comment 4 Aleksander Adamowski 2008-04-12 11:52:50 EDT
Created attachment 302231 [details]
Corrected patch

I forgot to close the password file after I'm done with it. This should be the
final version.
Comment 5 Aleksander Adamowski 2008-04-12 11:55:04 EDT
Created attachment 302232 [details]
ZIP with the compiled class - latest version
Comment 6 Aleksander Adamowski 2008-06-23 18:48:17 EDT
How about checking this in? There's nothing more preventing the checkin AFAIK.
Comment 7 Rich Megginson 2008-06-23 19:03:32 EDT
Created attachment 310084 [details]
cvs commit log
Comment 8 Fedora Update System 2008-09-04 15:50:40 EDT
idm-console-framework-1.1.2-1.fc8 has been submitted as an update for Fedora 8.
http://admin.fedoraproject.org/updates/idm-console-framework-1.1.2-1.fc8
Comment 9 Fedora Update System 2008-09-04 15:51:28 EDT
idm-console-framework-1.1.2-1.fc9 has been submitted as an update for Fedora 9.
http://admin.fedoraproject.org/updates/idm-console-framework-1.1.2-1.fc9
Comment 10 Fedora Update System 2008-09-11 13:03:18 EDT
idm-console-framework-1.1.2-1.fc8 has been pushed to the Fedora 8 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 11 Fedora Update System 2008-09-11 13:13:25 EDT
idm-console-framework-1.1.2-1.fc9 has been pushed to the Fedora 9 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 12 Yi Zhang 2009-03-30 18:34:06 EDT
verified on rhel5 32bit & hp-ux
test result: pass 

pass means the following
1. no password being recorded in log files (including admin server access and error log file and dirsrv server access and error log file)
2. -w option still works fine
Comment 13 Chandrasekar Kannan 2009-04-29 19:03:45 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on therefore solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHEA-2009-0455.html

Note You need to log in before you can comment on or make changes to this bug.